TDSS rootkit


This topic is locked
16 replies to this topic

#1 flyingduck15 (Members, 34 posts)

Posted 19 February 2010 - 10:53 AM

Hi,

A few days ago I had a huge malware problem which involved my search result links redirecting me to an ad site, random tabs being added to my browser without me adding them, which also loaded ad sites, and a Firefox problem where I keep getting the warning "Warning: Unresponsive Script", which causes my laptop to freeze and perform really, really slowly for a few minutes.

I posted my problem on the "Am I Infected?" forum, and the person advising me concluded that my scan results were okay. I also thought my laptop was already fine, since tabs weren't being randomly added and my Google searches were back to normal. However, my Firefox problem was still there even though I had already updated it to the latest version as suggested. The person who kindly helped me didn't indicate whether it was a malware problem, and suggested that I post my Firefox problem on another sub-forum.

I did post my problem on another sub-forum, and the person there asked me if I had resolved my malware infections.

I wasn't sure what to answer. I did some googling that morning, and about one or two times the search results redirected me to ad sites. Unfortunately I wasn't really paying attention, so I'm not sure if the ads were set up by the website (as some sites do: they redirect you to an ad for a couple of seconds and then reload the original page) or if they were the malware redirects. Subsequent Google searches didn't redirect me that day, but it may also be very possible that I was limiting myself a bit and not searching really thoroughly, as I'm very worried the ad sites may contain malware. The person helping me on the website sub-forum noticed I had a TDSS rootkit showing in my logs, and suggested that I come here to ensure that I've fully removed it, since it may be the cause of the earlier redirections and my Firefox problem.

So I did the DDS scan. But I had problems with the GMER scan: it would crash just when it finished scanning in normal mode, so I did it in Safe Mode with Networking. And in the days after I posted my problem on the web applications forum, I definitely found search result links redirecting again. I'm not sure why. Now I run rkill every time I start my computer. However, sometimes when I run rkill, it closes this rundll program, and because of that I can't load anything. Thought you should know.

Help me ensure the rootkit is fully removed, please? Thanks!

For references,
My AII post: http://www.bleepingcomputer.com/forums/t/295841/your-system-is-infected-green-wallpaper/
My firefox post: http://www.bleepingcomputer.com/forums/t/296610/warning-unresponsive-script-from-firefox/

My OS: Windows XP Professional
Laptop: Acer Travelmate 6291

Summary of programs I've used:
MBAM
SAS
AVG
Rkill
GooredFix
DrWeb Cureit

-----

DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by TravelMate at 17:12:21.75 on Thu 02/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.396 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\Sunbelt Software\Personal Firewall\SbPFLnch.exe
E:\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\FREEDO~1\fdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TravelMate\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - e:\free download manager\iefdm2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ffqljqie] c:\documents and settings\travelmate\local settings\application data\wiyosj\nssfsftav.exe
StartupFolder: c:\docume~1\travel~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\travel~1\startm~1\programs\startup\magicd~1.lnk - e:\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\travel~1\startm~1\programs\startup\winmys~1.lnk - d:\xampp\mysql\bin\winmysqladmin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
mPolicies-system: EnableLUA = 0 (0x0)
IE: Download all with Free Download Manager - file://e:\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://e:\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://e:\free download manager\dllink.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\eqi7XXdJXr.dll
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - f:\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli kupuruzi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\travel~1\applic~1\mozilla\firefox\profiles\q8dqqai5.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: e:\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\travelmate\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\veohtv\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-23 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-23 108552]
R1 SASDIFSV;SASDIFSV;f:\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;f:\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-2-15 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-2-15 65576]
S3 SASENUM;SASENUM;f:\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-02-16 15:52:00 119910 ----a-w- c:\windows\system32\tmp.files0
2010-02-16 04:59:26 0 d-----w- c:\documents and settings\travelmate\DoctorWeb
2010-02-15 18:53:47 0 d-----w- c:\program files\ESET
2010-02-15 04:41:31 0 d--h--w- c:\windows\PIF
2010-02-15 01:15:30 36864 ----a-w- c:\windows\system32\eqi7XXdJXr.dll
2010-02-15 00:33:22 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-02-15 00:33:21 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-02-14 20:57:19 3255 ----a-w- c:\windows\system32\wbem\Outlook_01caadb84bc5a634.mof
2010-02-14 03:32:14 0 d-----w- c:\documents and settings\all users\Microsoft PData
2010-02-04 19:25:02 0 d-----w- c:\documents and settings\travelmate\.kepler
2010-01-29 06:09:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-29 06:09:13 0 d-----w- c:\docume~1\travel~1\applic~1\SUPERAntiSpyware.com
2010-01-29 06:07:59 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-29 06:01:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-29 06:01:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-29 06:01:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 05:54:30 0 d-----w- c:\docume~1\travel~1\applic~1\Malwarebytes
2010-01-29 05:54:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 23:48:27 0 d-----w- c:\documents and settings\travelmate\KeplerData

==================== Find3M ====================

2010-02-17 00:41:00 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-14 00:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 21:51:48 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2008-10-23 23:05:03 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102420081025\index.dat

============= FINISH: 17:15:27.34 ===============

Edited by flyingduck15, 19 February 2010 - 11:03 AM.
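The DDS "Pseudo HJT Report" above contains the entries a responder keys on before the replies even start: a Winsock LSP with a random-looking file name in system32 (eqi7XXdJXr.dll), a second LSA Notification Package next to the default scecli (kupuruzi.dll, which is loaded into lsass.exe), six Trusted Zone entries for domains nobody adds by hand, and a dRun autostart from a random directory under Local Settings\Application Data. The script below is an added example, not part of this thread or of any BleepingComputer tool: it runs those checks over a constructed subset of the posted log. The severity levels, the `looks_random` heuristic and the list of user-writable autostart locations are assumptions of this example.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed subset of the DDS "Pseudo HJT Report" posted above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ffqljqie] c:\documents and settings\travelmate\local settings\application data\wiyosj\nssfsftav.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
LSP: c:\windows\system32\eqi7XXdJXr.dll
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
LSA: Notification Packages = scecli kupuruzi.dll
""".strip().splitlines()

# Autostart locations a non-admin process can write to (assumption: XP profile layout).
USER_WRITABLE = ("\\local settings\\application data\\", "\\local settings\\temp\\", "\\application data\\")
# The only LSA notification package present on a clean XP install.
DEFAULT_LSA_PACKAGES = {"scecli"}
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z][A-Za-z -]*?):\s*(?P<rest>.*)$")


class Finding(NamedTuple):
    severity: str
    kind: str
    detail: str


def looks_random(filename: str) -> bool:
    """Heuristic for generated names: very few vowels, or mixed case combined with digits."""
    stem = re.sub(r"\.(dll|exe|sys)$", "", filename, flags=re.I)
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    return vowel_ratio < 0.25 or (mixed_case and any(c.isdigit() for c in stem))


def triage(lines) -> List[Finding]:
    """Apply the persistence checks to DDS pseudo-HJT lines and return the findings."""
    findings: List[Finding] = []
    trusted: Counter = Counter()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind.endswith("Run"):  # uRun / dRun / mRun autostart entries
            name, _, target = rest.partition("] ")
            path = target.strip('"').lower()
            if any(d in path for d in USER_WRITABLE):
                exe = path.rsplit("\\", 1)[-1]
                note = " (random-looking name)" if looks_random(exe) else ""
                findings.append(Finding("high", kind, f"{name.lstrip('[')} autostarts from user-writable path {path}{note}"))
        elif kind in ("BHO", "TB") and rest.endswith("- No File"):
            findings.append(Finding("low", kind, f"orphaned entry {rest.split(' - ')[0]}"))
        elif kind == "LSP":  # Winsock layered service provider: sees every socket call on the box
            severity = "high" if looks_random(rest.rsplit("\\", 1)[-1]) else "medium"
            findings.append(Finding(severity, kind, f"third-party Winsock LSP {rest}"))
        elif kind == "Trusted Zone":
            trusted[rest.lower()] += 1
        elif kind == "LSA" and rest.startswith("Notification Packages"):
            packages = rest.split("=", 1)[1].split()
            extra = [p for p in packages if re.sub(r"\.dll$", "", p.lower()) not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding("high", kind,
                                        "non-default LSA notification package(s) loaded into lsass.exe: " + ", ".join(extra)))
    if trusted:  # one finding for the whole zone: count and distinct domains
        findings.append(Finding("high", "Trusted Zone",
                                f"{sum(trusted.values())} entries for {len(trusted)} domains in the IE Trusted sites zone: "
                                + ", ".join(sorted(trusted))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

The Run rule deliberately ignores the name heuristic unless the binary lives in a user-writable directory, so legitimate short names such as ctfmon.exe in system32 are not reported; the LSA rule is a fixed allow-list because the malicious package name here (kupuruzi) is vowel-rich enough to defeat the randomness check.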



#2 fenzodahl512 (Members, 6,738 posts)

Posted 19 February 2010 - 12:04 PM

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the "Input script here:" box.

CODE
Begin copying here:
Drivers to disable:
ohnrdw

Drivers to delete:
ohnrdw

Files to delete:
C:\WINDOWS\system32\bxjixnsp.dll
c:\windows\system32\eqi7XXdJXr.dll

Folders to delete:
c:\documents and settings\travelmate\local settings\application data\wiyosj


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompt.

The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.


Then run GMER once again and post the log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 flyingduck15 (Topic Starter; Members, 34 posts)

Posted 20 February 2010 - 01:18 AM

Hi,

Just wanted to let you know that when I ran the script with The Avenger, my wireless and firewall (I use Sunbelt Kerio) went a bit haywire after restarting the laptop. Sunbelt Kerio would fail to initialize, and although the wireless icon on my toolbar appeared to be connected, I could not access any websites. I restarted a few times, and no dice. I tried the network repair thing in SAS, and after the second restart my wireless and firewall were fine. Unsure if this was because of The Avenger, the malware, or my laptop being weird, but again, just in case this is important information for you. I also ran GMER in Safe Mode with Networking with the same selections as in the pinned guide (unchecked Sections and IAT, and only scanned files on C:).

Onto the logs.

Avenger Log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "ohnrdw" disabled successfully.
Driver "ohnrdw" deleted successfully.

Error: file "C:\WINDOWS\system32\bxjixnsp.dll" not found!
Deletion of file "C:\WINDOWS\system32\bxjixnsp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\eqi7XXdJXr.dll" deleted successfully.

Error: folder "c:\documents and settings\travelmate\local settings\application data\wiyosj" not found!
Deletion of folder "c:\documents and settings\travelmate\local settings\application data\wiyosj" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

-------------------------------------

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 17:02:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TRAVEL~1\LOCALS~1\Temp\kweyyaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xF6C64160]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xF6C63868]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xF6C60320]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xF6C62E90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xF6C62D9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xF6C633FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xF6C64210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xF6C60786]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xF6C60846]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xF6C63B54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xF6C605CA]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xF6C634EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xF6C63E8C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xF6C609BC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xF6C63DE0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

Device \FileSystem\Cdfs \Cdfs F64CA400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@DisplayName Driver Support
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw\Parameters@ServiceDll C:\WINDOWS\system32\bxjixnsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@DisplayName Driver Support
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\ohnrdw\Parameters@ServiceDll C:\WINDOWS\system32\bxjixnsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@DisplayName Driver Support
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\ohnrdw\Parameters@ServiceDll C:\WINDOWS\system32\bxjixnsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ee17e6d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ee17e6d@0012eec1ffd6 0x53 0x4E 0xD2 0xDE ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ee17e6d@001d4f8d4725 0x3B 0xFF 0xE4 0x4F ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ee17e6d@001d6069cd54 0x2B 0xEC 0x1D 0x53 ...
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@DisplayName Driver Support
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@Type 32
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw\Parameters@ServiceDll C:\WINDOWS\system32\bxjixnsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee17e6d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee17e6d@0012eec1ffd6 0x53 0x4E 0xD2 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee17e6d@001d4f8d4725 0x3B 0xFF 0xE4 0x4F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee17e6d@001d6069cd54 0x2B 0xEC 0x1D 0x53 ...
Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\00197ee17e6d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\00197ee17e6d@0012eec1ffd6 0x53 0x4E 0xD2 0xDE ...
Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\00197ee17e6d@001d4f8d4725 0x3B 0xFF 0xE4 0x4F ...
Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\00197ee17e6d@001d6069cd54 0x2B 0xEC 0x1D 0x53 ...

---- EOF - GMER 1.0.15 ----

Edited by flyingduck15, 20 February 2010 - 01:18 AM.
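The GMER Registry section above is the most informative part of this post. The service "ohnrdw" is registered to run inside svchost.exe (-k netsvcs) as LocalSystem, its Description is copied word for word from the genuine DNS Client service (Dnscache, whose ServiceDll is dnsrslvr.dll), its DisplayName "Driver Support" matches neither, and its ServiceDll points at C:\WINDOWS\system32\bxjixnsp.dll, the file Avenger reported as not found. Because this scan ran after Avenger, the entries survive only in ControlSet001 through ControlSet004 and are absent from CurrentControlSet: a cleanup that touches only the active control set leaves the other copies behind. The script below is an added example, not part of the thread or of GMER: it reconstructs services from a constructed subset of the posted Reg lines and applies those checks. The Dnscache description/DLL mapping is embedded as a known-good reference; treating the BTHPORT link-key entries as benign (ACL-restricted Bluetooth pairing keys that GMER commonly lists) is an assumption of this example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed subset of the GMER "Registry" section posted above
# (two of the four control sets, plus the Bluetooth lines).
SAMPLE_GMER = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@DisplayName Driver Support
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\ohnrdw\Parameters@ServiceDll C:\WINDOWS\system32\bxjixnsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ee17e6d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00197ee17e6d@0012eec1ffd6 0x53 0x4E 0xD2 0xDE ...
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@DisplayName Driver Support
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw@Description Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet004\Services\ohnrdw\Parameters@ServiceDll C:\WINDOWS\system32\bxjixnsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee17e6d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee17e6d@0012eec1ffd6 0x53 0x4E 0xD2 0xDE ...
""".strip().splitlines()

# First sentence of a genuine XP service description -> (service name, ServiceDll).
# Only the DNS Client entry is needed for this log; extend as required.
KNOWN_DESCRIPTIONS = {
    "Resolves and caches Domain Name System (DNS) names for this computer.": ("Dnscache", "dnsrslvr.dll"),
}
# Keys GMER lists because of their restrictive ACL rather than because malware hides them
# (assumption: Bluetooth link keys under BTHPORT\Parameters\Keys).
BENIGN_KEY_ONLY = {"BTHPORT"}


class Finding(NamedTuple):
    service: str
    control_sets: List[str]
    reasons: List[str]


def parse_reg_lines(lines) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Return {service: {control_set: {value_name: data}}} from GMER 'Reg' lines under ...\\Services."""
    services: Dict[str, Dict[str, Dict[str, str]]] = defaultdict(lambda: defaultdict(dict))
    for raw in lines:
        line = raw.strip()
        if not line.startswith("Reg "):
            continue
        keypath, _, valuepart = line[4:].partition("@")  # "key@ValueName data" or just "key"
        parts = keypath.split("\\")
        if len(parts) < 5 or parts[:2] != ["HKLM", "SYSTEM"] or parts[3] != "Services":
            continue
        control_set, service = parts[2], parts[4]
        values = services[service][control_set]  # records the key even for value-less lines
        if valuepart:
            name, _, data = valuepart.partition(" ")
            values[name] = data.strip()
    return services


def analyze(lines) -> List[Finding]:
    """Flag services whose registration is inconsistent with what it claims to be."""
    findings: List[Finding] = []
    for service, per_cs in sorted(parse_reg_lines(lines).items()):
        merged: Dict[str, str] = {}
        for values in per_cs.values():
            merged.update(values)
        if service in BENIGN_KEY_ONLY and "ImagePath" not in merged:
            continue
        reasons: List[str] = []
        dll = merged.get("ServiceDll", "").rsplit("\\", 1)[-1]
        image = merged.get("ImagePath", "")
        first_sentence = merged.get("Description", "").split(". ")[0] + "."
        if first_sentence in KNOWN_DESCRIPTIONS:
            real_name, real_dll = KNOWN_DESCRIPTIONS[first_sentence]
            if service.lower() != real_name.lower() or dll.lower() != real_dll:
                reasons.append(f"description copied from {real_name} but service is {service!r} "
                               f"with ServiceDll {dll or '(none)'} instead of {real_dll}")
        if "svchost.exe" in image.lower() and "ServiceDll" not in merged:
            reasons.append("svchost-hosted service without a Parameters\\ServiceDll value")
        if "CurrentControlSet" not in per_cs:
            reasons.append("present only in non-active control sets " + ", ".join(sorted(per_cs))
                           + "; a cleanup that touches only CurrentControlSet leaves these copies behind")
        if reasons:
            findings.append(Finding(service, sorted(per_cs), reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_GMER):
        print(f"{f.service} ({', '.join(f.control_sets)})")
        for r in f.reasons:
            print("  -", r)
```

On a live system the same checks belong in a loop over every HKLM\SYSTEM\ControlSetNNN\Services key, not just CurrentControlSet, followed by a check that each ServiceDll actually exists on disk; here the DLL's absence is already established by the Avenger log.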


#4 fenzodahl512 (Members, 6,738 posts)

Posted 20 February 2010 - 01:31 AM

Uninstall Sunbelt Kerio for now.. You may reinstall it later.. Then do below..


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 flyingduck15

  • Topic Starter

Posted 20 February 2010 - 02:32 AM

Hi,

Thanks for your quick reply. Sorry, I know I should have followed your instructions line for line, but I didn't uninstall my firewall. I read the instructions you posted below and thought only disabling the firewall would be okay. Combofix rebooted my laptop, and when it was loading the log there was a warning from Sunbelt Kerio that it blocked something from Combofix.. and I thought I had already disabled it and the icon wasn't in the tray. Really sorry, hope that didn't mess things up too much.

ComboFix 10-02-19.04 - TravelMate 02/20/2010 18:04:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.612 [GMT 11:00]
Running from: c:\documents and settings\TravelMate\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sunbelt Personal Firewall *disabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft PData
c:\documents and settings\TravelMate\Start Menu\Programs\Startup\MagicDisc.lnk
c:\windows\EventSystem.log
c:\windows\run.log
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\nsprs.dll
c:\windows\system32\ssprs.dll
c:\windows\Tasks\mqhkgsau.job
E:\rkill.pif

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-19 18:27 . 2010-02-19 18:27 -------- d-----w- c:\documents and settings\TravelMate\.kepler
2010-02-17 18:09 . 2010-02-17 21:23 -------- d-----w- c:\documents and settings\Dan Higgins\.kepler
2010-02-17 18:09 . 2010-02-17 18:09 -------- d-----w- c:\documents and settings\Dan Higgins
2010-02-16 04:59 . 2010-02-16 08:16 -------- d-----w- c:\documents and settings\TravelMate\DoctorWeb
2010-02-15 18:53 . 2010-02-15 18:53 -------- d-----w- c:\program files\ESET
2010-02-15 04:41 . 2010-02-15 04:41 -------- d--h--w- c:\windows\PIF
2010-02-15 02:31 . 2010-02-18 06:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-15 00:33 . 2008-06-20 17:54 65576 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2010-02-15 00:33 . 2008-10-30 20:09 270888 ----a-r- c:\windows\system32\drivers\SbFw.sys
2010-01-29 06:09 . 2010-01-29 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-29 06:09 . 2010-01-29 06:09 -------- d-----w- c:\documents and settings\TravelMate\Application Data\SUPERAntiSpyware.com
2010-01-29 06:07 . 2010-01-29 06:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-29 06:01 . 2010-01-07 05:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-29 06:01 . 2010-02-14 20:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 06:01 . 2010-01-07 05:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-29 05:54 . 2010-01-29 05:54 -------- d-----w- c:\documents and settings\TravelMate\Application Data\Malwarebytes
2010-01-29 05:54 . 2010-01-29 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 06:49 . 2009-06-24 15:38 -------- d-----w- c:\documents and settings\TravelMate\Application Data\Free Download Manager
2010-02-20 04:27 . 2009-06-18 14:15 -------- d-----w- c:\documents and settings\TravelMate\Application Data\Skype
2010-02-20 00:04 . 2009-06-18 14:17 -------- d-----w- c:\documents and settings\TravelMate\Application Data\skypePM
2010-02-17 00:41 . 2007-08-15 10:43 277784 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-17 00:37 . 2007-08-29 17:22 -------- d-----w- c:\program files\mIRC
2010-02-15 04:49 . 2010-01-29 06:10 117760 ----a-w- c:\documents and settings\TravelMate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-14 21:40 . 2009-11-30 12:23 -------- d-----w- c:\documents and settings\TravelMate\Application Data\uTorrent
2010-02-05 04:33 . 2007-10-03 02:59 -------- d-----w- c:\documents and settings\TravelMate\Application Data\Apple Computer
2010-02-05 02:15 . 2008-12-24 14:11 -------- d-----w- c:\program files\EasyPHP1-8
2010-01-29 06:10 . 2010-01-29 06:10 52224 ----a-w- c:\documents and settings\TravelMate\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-27 15:54 . 2008-05-18 04:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 23:37 . 2007-10-08 15:27 -------- d-----w- c:\documents and settings\TravelMate\Application Data\AdobeUM
2010-01-18 21:21 . 2010-01-18 21:13 -------- d-----w- c:\program files\PlayFLV
2010-01-14 00:12 . 2009-10-04 00:46 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 18:48 . 2007-10-26 11:13 -------- d-----w- c:\program files\Java
2010-01-08 18:53 . 2010-01-08 18:53 -------- d-----w- c:\program files\SlikSvn
2010-01-05 21:57 . 2010-01-05 21:55 -------- d-----w- c:\documents and settings\TravelMate\Application Data\TrueCrypt
2010-01-05 21:52 . 2010-01-05 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\TrueCrypt
2010-01-05 21:51 . 2010-01-05 21:51 223440 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2010-01-05 21:51 . 2010-01-05 21:51 -------- d-----w- c:\program files\TrueCrypt
2010-01-05 05:18 . 2009-11-07 12:54 96 ---ha-w- c:\windows\system32\HsInfo.dat
2010-01-05 04:43 . 2008-02-24 07:17 35 ----a-w- c:\windows\popcinfo.dat
2009-12-23 03:54 . 2009-12-23 03:54 -------- d-----w- c:\program files\KingsIsle Entertainment
2009-12-23 03:54 . 2007-08-28 03:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 19:14 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-03 23:04 . 2009-12-03 23:04 249856 ----a-w- c:\documents and settings\TravelMate\Application Data\Sun\Java\Deployment\cache\6.0\62\5afbe3fe-30904ff9-n\lwjgl64.dll
2009-12-03 23:04 . 2009-12-03 23:04 153600 ----a-w- c:\documents and settings\TravelMate\Application Data\Sun\Java\Deployment\cache\6.0\62\5afbe3fe-30904ff9-n\lwjgl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-01 23:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-17 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

c:\documents and settings\TravelMate\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-28 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-8-28 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-3 210520]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2008-9-5 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\superantispyware\SASSEH.DLL" [2008-05-12 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 03:21 548352 ----a-w- f:\superantispyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-30 02:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_03\\jre\\bin\\java.exe"=
"e:\\VeohTV\\VeohClient.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"e:\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_22\\jre\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre1.5.0_22\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"f:\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Java\\jdk1.5.0_22\\bin\\javaw.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2009 11:34 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2009 11:34 AM 108552]
R1 SASDIFSV;SASDIFSV;f:\superantispyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;f:\superantispyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2/15/2010 11:33 AM 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [6/21/2008 4:54 AM 66600]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/23/2009 11:33 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/26/2009 11:49 AM 297752]
R2 SbPF.Launcher;SbPF.Launcher;e:\sunbelt software\Personal Firewall\SbPFLnch.exe [10/31/2008 7:24 AM 95528]
R2 SPF4;Sunbelt Personal Firewall 4;e:\sunbelt software\Personal Firewall\SbPFSvc.exe [10/31/2008 7:24 AM 1365288]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2/15/2010 11:33 AM 65576]
S2 Apache2.2;Apache2.2;"d:\xampp\apache\bin\apache.exe" -k runservice --> d:\xampp\apache\bin\apache.exe [?]
S3 rk_remover;rk_remover;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
S3 SASENUM;SASENUM;f:\superantispyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ohnrdw
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 07:57]

2010-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1677128483-839522115-1003Core.job
- c:\documents and settings\TravelMate\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 23:09]

2010-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-790525478-1677128483-839522115-1003UA.job
- c:\documents and settings\TravelMate\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-14 23:09]

2010-02-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
IE: Download all with Free Download Manager - file://e:\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://e:\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://e:\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://e:\free download manager\dllink.htm
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
FF - ProfilePath - c:\documents and settings\TravelMate\Application Data\Mozilla\Firefox\Profiles\q8dqqai5.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: e:\free download manager\Firefox\Extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\TravelMate\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\veohtv\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ffqljqie - c:\documents and settings\TravelMate\Local Settings\Application Data\wiyosj\nssfsftav.exe
AddRemove-BlueJ_is1 - c:\bluej\uninst\unins000.exe
AddRemove-mIRC - c:\program files\mIRC\mirc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 18:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2016)
f:\superantispyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1856)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
e:\sunbelt software\Personal Firewall\SbPFCl.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-02-20 18:28:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 07:28

Pre-Run: 1,798,459,392 bytes free
Post-Run: 1,955,282,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 0396C51867773CA2487334204C0C6D3B


#6 fenzodahl512


Posted 20 February 2010 - 04:55 AM

So, how's the computer now?



#7 flyingduck15

  • Topic Starter

Posted 20 February 2010 - 01:28 PM

Hi,

Wow, well, no random tabs have been added and it seems the search result redirection is not happening any more! *hope it's for real this time* Do my logs look okay? My Firefox still has that warning popping up (it's only on certain sites; I don't get them when browsing this site or LiveJournal forums.. one site I notice the warning on is Yahoo Mail), so maybe that's not because of malware after all?

Thank you very much!

#8 fenzodahl512


Posted 20 February 2010 - 08:43 PM

QUOTE
(it's only on certain sites, I don't get them on browsing this site or forums livejournal.. one site I notice the warning going on is on yahoo mail)


Can you show me a screenshot of the pop-ups?



#9 flyingduck15

  • Topic Starter

Posted 21 February 2010 - 12:20 AM

Attached is the screenshot, thanks.

Attached file: WUS.JPG (127.21KB)


#10 fenzodahl512


Posted 21 February 2010 - 06:12 AM

Please navigate to the links below and try all the suggestions there (one by one), and tell me if any of those links resolved the problem.

http://support.mozilla.com/en-US/kb/warnin...sponsive+script
http://kb.mozillazine.org/Unresponsive_Script_Warning
http://lifehacker.com/162574/put-off-firef...script-dialogue
http://computersservicing.blogspot.com/200...ive-script.html



#11 flyingduck15

  • Topic Starter

Posted 21 February 2010 - 10:13 PM

Hi,

It has been a bit weird.. throughout most of my browsing today and loading Yahoo!Mail very rarely the warning came up (and this is also when I have not tried the solutions you linked me to). It only showed like 1-2 times and that was when my laptop was already running a bit slow. Now I'm confused.. But regardless I tried out the links anyway.

I did the about:config solution, and turns out the value to the variable to be set (which was dom.maxscript-something) was already what was recommended on the site (20), so I didn't change anything. I've updated to the latest version which was what the solution on the last link. I did not download YesScript, because one of the sites that the warning comes up is Yahoo!Mail which is my primary personal email address, and the javascript there has not given me any problems before. I also do not use any add-ons which is on the list on 2 of the sites you linked.

Another thing I should raise is that this problem only started when I downloaded a bunch of programs for my laptop malware issue. What I'm suspecting is.. could the problem be caused by my Sunbelt Kerio firewall? I've been browsing sites with my firewall mostly disabled (it makes facebook unable to load properly, I can't browse deviantart, it blocks certain images from being shown, etc), and I think no warnings showed up then..

Right now I'm enabling my firewall and loading yahoo!mail, but so far no warning has popped up.. I am a bit confused as, like I said, I technically did not change anything..

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 22 February 2010 - 09:14 AM

Another thing I should raise is that this problem only started when I downloaded a bunch of programs for my laptop malware issue. What I'm suspecting is.. could the problem be caused by my Sunbelt Kerio firewall? I've been browsing sites with my firewall mostly disabled (it makes facebook unable to load properly, I can't browse deviantart, it blocks certain images from being shown, etc), and I think no warnings showed up then..

Does that happen with Sunbelt Kerio enabled or disabled? smile.gif



#13 flyingduck15

flyingduck15
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 22 February 2010 - 10:13 AM

That happens when it's enabled.

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:07:55 AM

Posted 22 February 2010 - 10:19 AM

Ok, uninstall Sunbelt Kerio and replace it with PC Tools Firewall Plus.. Link below..

http://www.pctools.com/firewall/

then after install, reboot your computer and tell me how it goes smile.gif



#15 flyingduck15

flyingduck15
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 25 February 2010 - 01:06 PM

Hi,

Sorry for the slow reply, I've been a bit busy these past few days. I uninstalled Sunbelt Kerio and installed PC Tools Firewall.. and there seem to be no warnings coming up! :D My laptop performance is fine as well; so far no redirections or random tabs being added are occurring. Thank you very much!

